It is a huge mistake to assume (like this DKos poster) that the optical scan machines used in NH are somehow more secure than the much-maligned touchscreen machines, which didn’t seem to be that widely used in the primary. Optical scanners can actually be less secure than touchscreens, because they’re just as easy to tamper with (sometimes more so) as the touchscreens, but there’s typically only one per precinct—an attacker therefore has a single point of failure to manipulate. The fact that optical scanners leave a paper record is totally irrelevant if a random audit of the results is not mandatory by law after every election. And in New Hampshire, there are no mandatory audits. As I’ve said before, mandating a paper trail without also requiring post-election audits is like buying a security system for your house and then not turning it on.

Ron Paul and his supporters may be a bit loopy, but they are 100 percent correct in insisting on some type of audit of the NH results—not because Hillary hacked the vote (I currently think there are better explanations for the results than vote hacking), but because such audits should always occur as a matter of course. Again, when you use an electronic voting system, you must audit the results if you want to have confidence in them.

Second, I want to congratulate lefty blog stalwart Josh Marshall on his apparent clairvoyance. Clearly, he has access to information about the integrity of the NH elections that has been denied to the public. In a post entitled “Enough,” Marshall decried “the notion that public opinion surveys and even exit poll data is so reliable that any substantial discrepancy between those numbers and the official result is prima facie evidence of tampering. That is simply absurd.”

He went on to insist that “the possibility or danger of tampering is not a license to assume it or imagine it—in the absence of any evidence—any time the vote doesn’t go how we’d like.”

I single Marshall out not just because I’m a daily reader of his blog, but because the attitude exemplified in this post is typical of well-intentioned journalists who don’t really grasp what’s at stake in the e-voting debate. So let me clarify, for the benefit of Marshall and the others:

In a truly democratic election, the burden of proof is on the state to provide evidence of the election’s integrity. This sentiment is behind the idea that ballots should be counted under the watchful eyes of the public’s representatives. So elections are held to a much different standard than criminal proceedings, where the burden of proof is on the one who brings a charge of wrongdoing.

Right now, in the absence of an audit of the New Hampshire results, the state has not met the requirement that it prove to the public that the election was fair. This is what the fuss is about. New Hampshire does not have the manual audit requirement that is necessary to prove that an election was fair, so that state’s ballots were effectively counted in secret by closed-source machine code. When ballots are counted in secret and it’s up to the voters to prove that the election was rigged when they’re surprised by the results, that’s not the kind of democracy that the Founders had in mind for us.

Stokes goes on to point out that, if anything, Clinton and her supporters ought to be getting out in front on these issues, since it’s entirely easy to imagine a situation where Clinton wins the Democratic nomination and then wins the general election by a hair. Under such circumstances, do you think the modern right wing is going to miss any opportunity whatsoever to call the election results in question? As Stokes says, we could wind up with a standoff that makes us look back with nostalgia on 2000.

“New Hampshire does not have the manual audit requirement that is necessary to prove that an election was fair, so that state’s ballots were effectively counted in secret by closed-source machine code.” Please, political bloggers, get this point straight. The central problem isn’t touchscreens or Diebold, and moreover it doesn’t matter if the machine-counts generate paper printouts if we don’t know what’s going on inside the machines when they “count”. The central problem is closed-source, secret, unaccountable code—machine procedures that can’t be audited by independent outsiders. Voting-machine merchants typically defend the closed-source code inside their devices on patent and competitive grounds. We shouldn’t give a dime for this argument. We need our elections to be fair and to be perceived as fair far more than we need a voting-machine industry.

There are a bunch of fun attacks on opscan systems, including pretty high-end stuff like hacking the scanners to misreport results, medium-complex stuff like selectively monkeying around with the ballot definition files (so that in heavily Obama-leaning precincts, the file swaps Hillary and Obama) or misprinting ballots used in some places (so that Hillary and Obama are swapped, or so that votes for Obama are more likely to be counted as undervotes (because they're apparently out of the area that's supposed to be marked)).

Paper isn't a magic election-cure. In fact, it kind of sucks for elections. Its one advantage is that we can actually come up with and run procedures that let us check up on the electronic voting machines, with varying levels of confidence.

Indeed. Many people have been working since 2000 to move the problems with electronic voting and tabulation into the public's and more importantly the media's consciousness. If it takes exploiting the media's insane hatred of Hillary Clinton to do it, then so be it.

The change to voting technology with shrouded mechanisms is a recent thing. Even with voting booths (which seem to exist only in NY and nowhere else), you can follow the mechanisms to verify that when a voter pulls the lever, the booth has registered the vote for the correct candidate.

Voting machine manufacturers didn't need to shroud their mechanisms to be competitive before. They don't need to now.

The whole process needs to be auditable - and that includes identifying who voted (not who they voted for but whether people voted at all) and ensuring that they only voted once. I.e. a voter has to show a reasonable ID.

It is utterly beyond me why Diebold and other vote machine makers do not use open source software and publicise their code so that it can be subject to proper analysis. This applies just as much to optical scan stuff as to more electronic ones.

[Aside: It also blows me away to learn that these machines tend to run an entire Windows OS and dedicated stack. What is wrong with a web browser session?]

These aren't new machines - they're the same scanners that have been used in all the past elections that I remember, going back to the mid '90s. They're freestanding optical readers (they don't hook into some central computer) that read the black dots like SAT tests, as the physical cards are slid in, and the ballots are done in large type with large ovals to fill in and lots of space between them, making it very difficult to have any kind of visual "hanging chad" situation.

The last presidential election, the turnout was (again) vastly higher than expected, and a number of townships had to do manual counts anyway, because they ran out of preprinted ballot cards and had to photocopy more, which were then too thin and flexible to be run through the readers. Most local election years at least one town and usually more has a manual recount, usually not changing results, but in the smaller towns it can come down to a single ballot making the difference, so IIRC it has happened.

In the biggest city in the state, the wards are still small enough that you almost always run into someone you know, either doing the honors (familiar faces every year, graying) or voting, or (during local elections) trying to convince you to vote for them (embarrassing when it's someone you babysat for, to say the least). There's a reason why the Republicans' attempts at vote fraud here - rather famously - involved Keep In The Vote phone jamming conducted from Virginia, rather than the methods employed elsewhere in the country like bizarre ballot designs, intimidation, etc. For one thing, it's AFAIK the only crime in the state that can cause you to lose your own voting rights permanently, if you get caught doing it.

In terms of energy and enthusiasm levels (and on the part of the Paulites, stupidity levels), the Kucinich and Paul supporters (staked out on opposed corners of Elm St most days, ironically) far outweighed anyone else's for any other candidate, which may have given them the idea that they had more support (and, importantly, name recognition) than they really did. If they're paying for it, fine - but they have yet to realize that if wishes were horses, imo.

Thanks to Florida 2000 and Ohio 2004, the accusation "The election was hacked" is going to be with us for a long, long time. That's as much a threat to democracy as having a bozo in the Office of the Vice President who uses the Constitution for Kleenex.

Voting is one of the basic mechanisms of democracy. If people lose faith in the voting process, then they lose faith in the legitimacy of the winners; and if legitimacy is always in doubt, there is room for the truly illegitimate to take power.

Laertes #7: Good question, if by that you mean, why don't they hand-count all the ballots in public in the first place?

As far as I can tell, it's because the media have trained people, by now, to want the election results fast far more than they want it to be right.

Old-fashioned cheating methods via ballot box stuffing and/or destruction can be prevented with proper procedures, which were worked out a long time ago. With hand counts, the number of errors (absent the possibility of deliberate fraud) will necessarily be small.

But even when no-one is trying to cheat, people do make genuine mistakes when counting. If the vote was counted by hand but is very close, you still need to allow for a recount.

Harder work - obviously right, in the same way that any form of manual work is harder than having it done by a machine. But harder work yet to make them fair - on the contrary, it is the easiest thing in the world to make a manual count fair, and that's one very good reason for continuing to do them.

In UK elections, counters count in an open room, to which representatives of the candidates have access. The votes are bundled by selected candidate so that everybody has a very visible sense of how it's going. If the margin is close, everybody stays on and counts again. In the last UK parliamentary election, the smallest majority was 37 votes, settled after three counts - two overnight, and the third the following afternoon after everybody had had a rest.

Is it absolutely 100% accurate? No, almost certainly not. But it is very hard to introduce systematic bias into the counting, so the answer to the more important question, does the candidate who got most votes win the election, is a simple yes. I can't remember a single serious accusation of unfairness introduced by the counting process at a UK election (there have certainly been other kinds of accusation, particularly over the fraudulent use of absentee ballots, just none to do with counting).

I agree that an audit should be done if there is a lack of confidence in the system. It is not enough for an election to be fair; it must be seen to be fair to work. People feel far more confident voting if they feel that their vote is properly counted.

As a side note, I can't remember my county ever having an election scandal, because they have very carefully set things up to be both efficient and auditable. The requirement that a poll board not have a majority of any party members speaks to one issue; the fact that ballot delivery must take place with two workers in the car speaks to another. (They don't have a problem with those two being relatives, though; I can see where that might be an issue at some point in the future.) Every ballot has a barcoded receipt so that a voter can check after the election that the specific vote was tabulated. I wonder how many people actually do.

There's manual counts of the numbers of ballots done at three points, at least, receipts and paper trails all over the place. The voter feeds the ballot into the machine him- or herself. Seriously, the only thing I ever saw at a polling station was an honest-to-goodness case of "electioneering" within 100 feet of the polls— somebody passing out a "voter's guide" to people in line. We told her off and she left and we showed the voters the trashcan if they wanted it.

It's not hard to have an above-board election, but it requires one thing, and that is a group of people who care that the election be run fairly. I had much rather mentally roll my eyes as people vote something truly stupid into law* than even think of tampering with the process.

"The central problem is closed-source, secret, unaccountable code—machine procedures that can’t be audited by independent outsiders. Voting-machine merchants typically defend the closed-source code inside their devices on patent and competitive grounds. We shouldn’t give a dime for this argument. We need our elections to be fair and to be perceived as fair far more than we need a voting-machine industry."

Sigh. Folks, I'm all for an accurate count, but I think the focus on technical details of the count obscures the reality that, even a perfectly honest ballot under standard US procedures is a semi-democratic thing at best. The majority vote system isn't very good. On top of which we're getting a count of a self-selected sample--that's below the standard of opinion polling, and surely most of us would want votes with actual authority to be above that standard? This is about to become a very serious problem; it looks like the Supreme Court is about to validate state voter-id rules, and the statutory deadline for Real-ID is May 11th. I predict turnouts back to pre-1960 levels in some states, and a majority of the people turned away in those states will be Democrats.

Marshall decried “the notion that public opinion surveys and even exit poll data is so reliable that any substantial discrepancy between those numbers and the official result is prima facie evidence of tampering. That is simply absurd.”

True but misleading. It isn't prima facie evidence; however, it does increase the probability that tampering occurred (see Bayes' Theorem), raising a reasonable suspicion of tampering.

He went on to insist that “the possibility or danger of tampering is not a license to assume it or imagine it—in the absence of any evidence—any time the vote doesn’t go how we’d like.”

"assume or imagine" is a state of mind. In this country, we don't need licenses for states of mind (yet, anyway).

We need our elections to be fair and to be perceived as fair far more than we need a voting-machine industry.

And note that "perceived as fair" is the key point; they can't be proven to be fair. At best, you can give an upper bound on the probability that the reported result is incorrect.

"There are two basic types of voting errors: random errors and systemic errors. Random errors are just that, random. Votes intended for A that mistakenly go to B are just as likely as votes intended for B that mistakenly go to A. This is why, traditionally, recounts in close elections are unlikely to change things. The recount will find the few percent of the errors in each direction, and they'll cancel each other out. But in a very close election, a careful recount will yield a more accurate -- but almost certainly not perfectly accurate -- result.

Systemic errors are more important, because they will cause votes intended for A to go to B at a different rate than the reverse. Those can make a dramatic difference in an election, because they can easily shift thousands of votes from A to B without any counterbalancing shift from B to A. These errors can either be a particular problem in the system -- a badly designed ballot, for example -- or a random error that only occurs in precincts where A has more supporters than B."

Folks are worried about systemic errors in NH (if I understand properly - bias in the ballot readers used in NH's 'big' cities) - a recount will tend to uncover/eliminate the bias. If, instead, there's no systemic error, the recount will yield slightly more accurate numbers (maybe), but the percentages won't change much. HTH

I like the idea of post-election audits, but I don't think the Powers That Be are going to open that can of worms. Right now, US elections are perceived as fair because they're declared to be fair (proof by emphatic assertion), and any actual examination of the process runs a risk of invalidating that perception.

FrancisT @4 - I emphatically agree re: running a Windows OS, and I'd go farther and demand a dedicated system. The vetting process for Nevada slot machines is a good model for voting hardware.

I disagree that voter ID is a priority. As far as I can see, multi-voting is a much lower threat to democracy than: gerrymandering, media coverage of elections that avoids issues, caging, voter intimidation, ballot box stuffing, push-polling...

The recent Supreme Court case on voter ID was a clash between a broken remedy for a non-existent problem and vote suppression that hasn't happened yet. The disappointing thing is that this court may rule that actual vote suppression has to occur before the Supreme Court will step in - so one new illegal method every four years can tilt close presidential elections. Joy.

Randolph Fritz @14 wrote I think the focus on technical details of the count obscures the reality that, even a perfectly honest ballot under standard US procedures is a semi-democratic thing at best.

I'm missing something. If the count has flaws that the recount lacks, why do the count at all? How about we just begin with a recount?

---

Well, the British still do manual ballot counts. It's not impossible, it's just a lot of hard work, and harder work yet to make them fair.

Is there any country other than the US that has moved away from paper ballots and hand counting?

This doesn't apply to primaries, but with general elections, I guess hand counting as standard is more difficult than in most countries because voters get to vote on so many different things at the same time in US November elections. If there are ballots from dozens of voting decisions to count on the same night, of course that takes longer by hand than if there are normally just one or two, or at best a handful, of different counts to do.

Sylvia Li @9:

Laertes #7: Good question, if by that you mean, why don't they hand-count all the ballots in public in the first place?

As far as I can tell, it's because the media have trained people, by now, to want the election results fast far more than they want it to be right.

A possible solution to that: Keep the electronic scans, but don't give them any legal status as official results- just give them the status of an information service for the interested public. Give only hand count results any official standing.

Elections got stolen long before the arrival of electronic voting machines. This is not to say that there shouldn't be accountability and paper trails, but the electronic machines should not be the only focus. There's a reason Harry Truman was known as the "Senator from Pendergast"

I note that Stokes suggests that no Republican candidate would "roll over" for Clinton the way the Dems did for Bush.

But I'm not so sure. There were a number of close races in 2006 where the Republicans didn't contest, much to the surprise of Democrats.

And my best guess for the reason is that they already knew that a hand-count would show that, in fact, the race wasn't close at all, and the Democrats had beat them in a landslide.

But that doesn't mean the noise machine won't use it throughout a Democratic victory (by any Democrat) to say that they don't believe the Dem won and that the vote was hacked. They'll just wait until it's too late to call for a recount to smear the winner for four/eight years.

Unfortunately -- I'd guess that a hand-recount in NH would reveal only trivial and random errors.

This result would then be cited as conclusive evidence that the electronic vote-counting system is accurate.

It would, of course, be no such evidence at all; it would indicate only that the system _can_ be (reasonably) accurate, and that there was no tabulating/reporting fraud in _this_ election.

And yes, now that you mention it, I do seem to have lost my life-long conviction that (possibly aside from a few places such as Chicago) American elections are conducted fairly and honestly. Counting the votes electronically in a black box is no better than having The Authorities take the ballots away and count them in secret. As Stalin is reported to have said, "Who votes doesn't matter; what matters is who _counts_ the votes".

For my money, the counting of the paper ballots should be done at the polling stations, as soon as they are closed, under the close observation of representatives of any of the interested political parties. Failing that, random spot-check manual (re-)counts should be mandatory, with provisions for a total manual recount if significant discrepancies are discovered.

Mind you, I'm sure The American Voters will continue to elect, occasionally, some really dreadful people to high offices, but it's necessary to know that they _did_ elect those people.

Some of this stuff has been going around in fannish circles since 2000.

It looks as though the NH Primaries are of comparable complexity to a UK election, and so amenable to hand-counting, either as the primary count or as a check.

For me, the shocking difference is that the management of American elections is so overtly partisan. How much of the difference is law, and how much tradition, I don't know, but we don't give elected politicians the direct control that they appear to have in the USA.

In some ways, our system still has traces of the divine right of Kings, while the equivalent American political magic is the election. And mixed in with that is a strange echo of the Sublime Porte, with so much done by the political eunuchs of our professional civil administration.

Neither election nor apolitical appointment makes an honest man out of a rogue. It's not English gold, not this time, but it's Parcel of Rogues time.

That's why the checks are needed, rather than relying on the magic ballot box.

The US is not the only country having problems with voting machines. In the Netherlands in 2006 and 2007 considerable doubt was thrown up about the security of the voting computers to the point that one particular brand was disqualified for use, with a voting commission going so far as to recommend abandoning all existing machines entirely in favour of a two stage system. That would mean using a computer to vote, which prints a ballot which is then scanned in using OCR in another computer, with the physical ballots there as a safeguard.

A bunch of states currently mandate post-election audits, and one congresscritter (Rush Holt) has been repeatedly trying to push a national standard for paper records and post-election audits through, so it's not like this is some wild-eyed idea that the PTBs will never let happen. I believe some people in Ohio went to jail over gaming these requirements in 2004, and an independent review more-or-less concluded that the equipment being used there didn't really support proper post-election audits. (You could count the paper records, but you couldn't reliably link them back to the right set of electronic records.)

One thing to understand about elections in the US is that they're run locally--federal law has some impact, but mostly the relevant law is state law, and local officials are actually running the election, typically are choosing which equipment to use within guidelines given by the state, designing the ballots, etc. There are *huge* variations between how the same election using the same equipment is run, county by county and state by state.

elise #13:

The issue isn't whether the voting machine is open source. Plenty of open-source software with lots of expert scrutiny turns out to have bugs, which is one reason why (say) Firefox is constantly getting software updates. The issue is that even given the source code for a complicated system, I can't prove to myself that there's not a trapdoor or security-relevant bug in there somewhere. So you need some mechanisms to keep that software honest, in the sense that you can independently check up on the results. Paper records are far from perfect for this (there are attacks they don't help you detect, and it's not clear that enough people check the paper records carefully enough to catch a lot of practical attacks), but they're what we have that we can field today. (In fact, that we could field many years ago.)

Albatross, who claimed that open-source software doesn't have bugs? That's a complete red herring relative to anything that's been said here.

The point is that open-source software can be examined. Of course it can be made deliberately confusing, but there's nothing so thoroughly obfuscated as code that can't be examined at all.

I'm not an open-source purist by any means. But it seems to me that the administration of public elections is exactly the sort of task for which all procedures, including electronic procedures, should be as transparent as possible.

Elise's quoted comment in #13 said that the central problem is that the source isn't disclosed. But that's just wrong, that's not the central problem, that's a secondary, annoying additional problem. Of course, voting machine software ought not to be secret, but opening it up would not make DREs a sensible way to capture and count votes!

My point is that disclosing the source code and other internals is a good thing to do, but neither necessary nor sufficient to get good elections. It's not sufficient, because code review isn't a reliable way to find either security-relevant bugs or intentionally-installed weaknesses (good luck telling them apart). It's not necessary, because even with full disclosure of the internals, you still have to audit the results in some meaningful way to trust the result. Even disclosing the code, you *can't* trust it.

There is no way to make any kind of electronic vote tabulation system acceptable because electronic vote tabulation includes invisible state changes.

Paper ballots, counted by hand in public, just isn't very difficult to do, and the ballot, assuming relatively straightforward care in marking mechanisms, is hard to make undergo undetectable state change.

Getting the total to be reported accurately is more difficult, but not that difficult. (More difficult because fewer people are involved.)

Note that the current media situation in the States makes having an accurate count relatively useless, because it's clear that the reported count will be decided by a very small number of people inside a small number of media organizations, and that local protests to the effect of "those are not the totals we reported" will take months or years to receive significant attention.

The key is completely open public scrutiny at every step; none of this 'member of the political party' nonsense, all it takes is citizenship.

The other key is not to optimize the process for things that don't matter; the measure of efficiency for voting systems is not speed or effort, but the perceived probity of the mechanism.

Tangential note -- Elections Canada -- a non-partisan permanent part of the Canadian Civil Service -- uses rather complicated paper ballots, where the ballot tears off a serial number slip, serial number blocks are assigned time ranges at the polling place, random assignment of serial number ranges is made by polling place by people who the poll workers can't identify, and there are substantial anti-tamper and anti-forgery measures in the ballots.

It's not perfect, but then again nothing will be. It seems to work pretty well.

The point is that open-source software can be examined. Of course it can be made deliberately confusing, but there's nothing so thoroughly obfuscated as code that can't be examined at all.

But open source is no real protection against deliberate tampering, either.

Anyone who doesn't understand why that's true should go read Ken Thompson's Reflections on Trusting Trust, one of the seminal works in the field of computer security.

The short summary is this: malicious code can be invisibly inserted into compiled software by hacking the compiler (or assembler or linker or other tool) used to convert the human-readable source code into machine-executable binary code.

Even recompiling the compiler itself from clean source is no guarantee, since a hacked compiler can also propagate its own malicious code by inserting it into any newly-compiled instance of the compiler.

Schneier may be an expert on computer security, but he clearly doesn't understand how compilers work; the idea that two different compilers should produce bit-for-bit identical binary code from the same source code (and that any deviation is an indication of tampering) is laughably incorrect, as anyone who has ever built a compiler can tell you.

(In addition to that, his remark that "...if you're really worried about "turtles all the way down," you can write Compiler B yourself for a computer you built yourself from vacuum tubes that you made yourself" is one of the most fatuously stupid things I've ever heard anyone say on the topic.)

Open source is no guarantee of anything.

But Alan Bostick's point above is crucial: no matter how convoluted you get in trying assure that an e-voting system is secure, the most damaging aspect is that it destroys trust in the system.

It makes it easy for anyone to claim that election results they dislike are the result of tampering; and it makes it virtually impossible to convincingly refute such claims.

Even if no actual hacking ever occurs, that destruction of trust is pernicious. It casts doubt on the legitimacy of any and all elections, no matter how scrupulously clean they may be.

With regard to Graydon@32; there are many copies of Reflections on Trusting Trust available through Google Scholar; the link you posted goes to the access-controlled ACM repository. I mention this only because it's one of my favorite papers ever (along with Life at Low Reynolds Number. Go read that one too! It's got nothing to do with elections but it's really really interesting even if you have to skip over the particularly technical bits.)

One complicating issue for doing hand counts in US elections is that we often have really long ballots, as a result of holding the federal, state, county, city, and school district elections together. I believe that a couple years ago, there was an Arizona opscan ballot that ran to four pages. That doesn't mean it's impossible to hand count, just that it's more of a pain than you'd think. These long, complicated ballots also probably don't do a good job of getting informed participation by voters, since by the time you're on page four, your eyes have probably glazed over.

Paper ballots, counted by hand in public, just isn't very difficult to do, and the ballot, assuming relatively straightforward care in marking mechanisms, is hard to make undergo undetectable state change.

Getting the total to be reported accurately is more difficult, but not that difficult. (More difficult because fewer people are involved.)

Getting correct reports there should be easier now than it used to be: With the availability and price of consumer electronics today- not to mention what we'll probably get there in five or ten years- it shouldn't be too difficult to require vote counters to videotape the entire process, uncut, and then publish the videos on votetube.gov or somewhere. Same, if you want, for the goings-on at all places where reports from individual polling stations are received and added up. Although instead of the latter, you could as well have a large page on the web that shows all polling station reports and how they add up, with each report linking to the respective video. And if you don't trust the 'official' videos, let representatives of all candidates peacefully enter the rooms where the votes are counted and tape their own ones. One of the many possible applications of Charlie Stross' 'livelogs', if you want.

Raphael @ 37: That's the way we usually do elections around here (i.e. Canada): different ballot sheets for different items being voted on. Though there would obviously be problems if there were many different things to vote on -- I don't think I've ever had more than three or four sheets to deal with.

Paper ballots aren't a panacea, but they have the huge advantage of putting the primary data in an auditable form.

The other thing about voting machines that hasn't really been commented upon is that, in the end, the task they have to accomplish is pretty much what Herman Hollerith used punch cards for in the first place. The complication, such as it is, rests in being fanatical about making sure that each input is valid. 99% of the code in an electronic voting machine is about simply presenting the images and decoding the responses. There's still some decoding to do with punch card ballots, to be sure, but it's much simpler; and the separation of the record from the decoding means that if you do the latter incorrectly, you can go back and do it again right.

While there's lots to be said in favor of opening the source of any computerized election system, suggesting that if the system was open, the results would not need to be audited is nonsensical.

We have an experiment that can not be repeated. There are just too many ways that the count could be incorrect, while on the other hand, the correctness of the count is critical to the perceived fairness of the election. Elections must not just be fair, they must be perceived to be fair.

There should always be some kind of audit recount. And if the outcome of the audit doesn't meet the .99 confidence test, there should be a larger recount.

And running SELECT candidate, count(*) FROM votes GROUP BY candidate
again is not a valid audit.

...(along with Life at Low Reynolds Number. Go read that one too! It's got nothing to do with elections but it's really really interesting even if you have to skip over the particularly technical bits.)

That we are suspicious of the results is not a good reason for an audit.

That there has been a vote is a very good reason for an audit.

One possible procedure: the optical count should be done on numbered bundles of votes, say a thousand at a time. Then, under the watchful eyes of the candidates and/or their observers, a random subset of the numbered bundles is chosen for a manual recount, which is compared to the optical scans for each bundle. I can describe a procedure by which the bundles can be chosen such that everyone can be confident it's random, if anyone's curious. This is cheap and rapidly lends high confidence to the optical scan - now the only way to throw the election is to add or remove paper ballots.

I can't believe this isn't what is always done, no matter what the results, when optical scanners are used to count votes.
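One way to make the bundle audit described above concrete, as an added example (not the commenter's own selection procedure, which the thread does not give). It assumes the seed comes from dice rolled in public after the per-bundle scan totals are published, that `min_bad` is an agreed lower bound on how many bundles would have to be altered to change the outcome, and all ballot data is constructed.

```python
import hashlib
from math import comb

def sample_size(n_bundles: int, min_bad: int, confidence: float) -> int:
    """Smallest k such that a uniform sample of k bundles contains at least
    one of min_bad altered bundles with probability >= confidence."""
    for k in range(n_bundles + 1):
        # P(sample misses every altered bundle) = C(n-b, k) / C(n, k)
        if comb(n_bundles - min_bad, k) <= (1 - confidence) * comb(n_bundles, k):
            return k
    return n_bundles  # min_bad == 0: no sample size can reach the target

def select_bundles(seed: str, n_bundles: int, k: int) -> list[int]:
    """Rank bundle numbers by SHA-256(seed, number) and take the first k.
    Anyone holding the public seed can recompute the same selection."""
    def rank(b: int) -> str:
        return hashlib.sha256(f"{seed},{b}".encode()).hexdigest()
    return sorted(sorted(range(1, n_bundles + 1), key=rank)[:k])

def audit(scan: dict, hand: dict, chosen: list[int]) -> list[int]:
    """Return the chosen bundles whose hand count disagrees with the scan."""
    return [b for b in chosen if scan[b] != hand[b]]

# Constructed data: 40 bundles of 1000 ballots; the hand count is the truth.
N = 40
HAND = {b: {"A": 520, "B": 480} for b in range(1, N + 1)}
ALTERED = [3, 11, 19, 27, 35]   # constructed: the scan misreports these bundles
SCAN = {b: ({"A": 320, "B": 680} if b in ALTERED else dict(HAND[b]))
        for b in HAND}

if __name__ == "__main__":
    # Assumption: changing the outcome needs at least 5 altered bundles.
    k = sample_size(N, min_bad=5, confidence=0.99)
    # Constructed seed standing in for the publicly rolled dice.
    chosen = select_bundles("constructed-dice-roll-4-1-6-2-5-3", N, k)
    print(f"hand-count {k} of {N} bundles: {chosen}")
    print("bundles that disagree with the scan:", audit(SCAN, HAND, chosen))
```

Any disagreement found in the sample is the trigger for the larger recount mentioned earlier in the thread; a clean sample supports the scan only at the stated confidence and only under the `min_bad` assumption.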

#33 the approach suggested by David A. Wheeler, cited by Bruce Schneier in Countering "Trusting Trust" isn't any help

Yes it is. Try reading the explanation again more carefully. The idea isn't that "two different compilers should produce bit-for-bit identical binary code from the same source code", it's that the same compiler, built in two different ways from the same source, should produce bit-for-bit identical code (or at least that the differences should be small enough to be analysable and explicable).
The binaries X and Y, built from the same source by different compilers, are expected to be different.

The "vacuum tubes" are obviously hyperbole, but the sufficiently paranoid might try an approach like VIPER

But arranging self inserting backdoors in multiple versions of gcc on different platforms with crosscompiling and pcc is not going to be practical. Ken Thompson was writing about a time when there was only one C compiler.
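The point made above about David A. Wheeler's approach, as an added toy model (not code from the thread, from Wheeler or from Schneier). A "binary" is reduced to three fields and its bytes to a hash of them; the style names and the `Binary` type are hypothetical, and compilation is assumed to be deterministic.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Binary:
    built_by: str          # code-generation style of whatever compiled it
    emits: str             # code-generation style it applies to its output
    trojan: bool = False   # carries a self-reinserting modification

    def bits(self) -> str:
        """Stand-in for the file's bytes: equal fields mean identical bytes."""
        return hashlib.sha256(repr(self).encode()).hexdigest()[:16]

def build(compiler: Binary, source_style: str) -> Binary:
    """Compile the compiler source (which emits source_style code).
    A trojaned compiler re-inserts its modification; an honest one cannot."""
    return Binary(built_by=compiler.emits, emits=source_style,
                  trojan=compiler.trojan)

S = "cc-style"                                      # compiler source under test
T1 = Binary(built_by="vendor-1", emits="gcc-style")  # independent trusted
T2 = Binary(built_by="vendor-2", emits="pcc-style")  # compilers (hypothetical)

def ddc_matches(suspect: Binary, trusted: Binary) -> bool:
    """Build S with a trusted compiler, rebuild S with the result, and
    compare that second stage bit-for-bit with the suspect binary."""
    stage1 = build(trusted, S)   # behaves like S, made of the trusted style
    stage2 = build(stage1, S)    # behaves like S, made of S's own style
    return stage2.bits() == suspect.bits()

if __name__ == "__main__":
    x, y = build(T1, S), build(T2, S)
    print("X == Y:", x.bits() == y.bits())                        # False
    print("X(S) == Y(S):", build(x, S).bits() == build(y, S).bits())  # True
    clean = Binary(built_by=S, emits=S)
    bad = Binary(built_by=S, emits=S, trojan=True)
    print("trojan rebuilds itself:", build(bad, S).bits() == bad.bits())
    print("clean passes:", ddc_matches(clean, T1), ddc_matches(clean, T2))
    print("trojan passes:", ddc_matches(bad, T1))
```

The trojaned binary regenerates itself exactly, so a self-rebuild check passes, while the comparison against a second stage derived from either trusted compiler fails; defeating the check would require the same modification to be present in the independent compiler as well.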